Silence, Contract Crew

Description

(Group-IB) Group-IB has exposed the attacks committed by Silence cybercriminal group. While the gang had previously targeted Russian banks, Group-IB experts also have discovered evidence of the group’s activity in more than 25 countries worldwide. Group-IB has published its first detailed report on tactics and tools employed by Silence. Group-IB security analysts’ hypothesis is that at least one of the gang members appears to be a former or current employee of a cyber security company. The confirmed damage from Silence activity is estimated at 800 000 USD.

Silence is a group of Russian-speaking hackers, based on their commands language, the location of infrastructure they used, and the geography of their targets (Russia, Ukraine, Belarus, Azerbaijan, Poland, and Kazakhstan). Although phishing emails were also sent to bank employees in Central and Western Europe, Africa, and Asia). Furthermore, Silence used Russian words typed on an English keyboard layout for the commands of the employed backdoor. The hackers also used Russian-language web hosting services.

Group-IB found several relationships between Silence and TA505, Graceful Spider, Gold Evergreen.

Names

Name	Name-Giver
Silence	Kaspersky
Contract Crew	iDefense
Whisper Spider	CrowdStrike
TEMP.TruthTeller	FireEye
ATK 86	Thales
TAG-CR8	Recorded Future

Country

• Unknown

Motivation

• Financial crime

First Seen

2016

Observed Sectors

• Financial
• Government
• Manufacturing
• Pharmaceutical

Observed Countries

• Antigua and Barbuda
• Armenia
• Australia
• Austria
• Azerbaijan
• Bangladesh
• Belarus
• Belgium
• Belize
• Bulgaria
• Canada
• Chile
• China
• Costa Rica
• Croatia
• Cyprus
• Czech
• Finland
• France
• Georgia
• Germany
• Ghana
• Gibraltar
• Greece
• Hong Kong
• India
• Indonesia
• Ireland
• Israel
• Jamaica
• Jordan
• Kazakhstan
• Kenya
• Kyrgyzstan
• Latvia
• Luxembourg
• Malaysia
• Mexico
• Moldova
• Netherlands
• Norway
• Pakistan
• Panama
• Poland
• Romania
• Russia
• Saudi Arabia
• Serbia
• Seychelles
• Singapore
• South Korea
• Spain
• Sri Lanka
• Sweden
• Switzerland
• Taiwan
• Thailand
• Turkey
• UAE
• UK
• Ukraine
• USA
• Uzbekistan
• Vietnam

Tools

• Atmosphere
• Cleaner
• EmpireDNSAgent
• Farse
• Ivoke
• Kikothac
• Meterpreter
• ProxyBot
• ReconModule
• Silence
• TinyMet
• xfs-disp.exe
• Living off the Land

Operations

• 2016-06: Silence: Moving into the Darkside https://www.group-ib.com/resources/threat-research/silence_moving-into-the-darkside.pdf
• 2018-05: Silence 2.0: Going Global https://www.group-ib.com/resources/threat-research/silence_2.0.going_global.pdf
• 2019-05: ‘Silence’ hackers hit banks in Bangladesh, India, Sri Lanka, and Kyrgyzstan The only incident that is currently public is one impacting Dutch Bangla Bank Limited, a bank in Bangladesh, which lost more than $3 million during several rounds of ATM cashout attack. https://www.zdnet.com/article/silence-hackers-hit-banks-in-bangladesh-india-sri-lanka-and-kyrgyzstan/
• 2020-01: New financially motivated attacks in Western Europe traced to Russian-speaking threat actors https://www.group-ib.com/media/silence_ta505_attacks_in_europe/
• 2022-08: Breaking the silence - Recent Truebot activity https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/

Information

• https://securelist.com/the-silence/83009/
• https://reaqta.com/2019/01/silence-group-targeting-russian-banks/
• https://newsroom.accenture.com/news/accenture-report-reveals-new-cybercrime-operating-model-among-high-profile-threat-groups.htm

Mitre Attack

• https://attack.mitre.org/groups/G0091/

Playbook

• https://www.fortinet.com/blog/threat-research/silence-group-playbook.html

Other Information

Uuid

743a5e7c-a08f-47e1-861c-8789ea1189f9

Last Card Change

2022-12-27